PA.Dutchman

What is Emotet? Our city hall has been struck down by this


Emotet is not a virus.  It is a trojan.  It does not self replicate and needs assistance to spread. 

It is one of a series of trojans that are generated by malicious actors to be delivered using email, either as a direct and/or an indirect attachment, or by including a link to a download which may be an MS Word document file. The email and the Word document are deliberately malicious. They will use Social Engineering techniques such as Spear Phishing to target their victim. If people do not use Critical Thought, their first line of defense is broken. One must identify that the email is illegitimate. Often they will pretend to be a Bill for Services or something to that effect. If the recipient does not know the person or the entity that is purported to have that Bill for Services, then that should be Red Flag #1. If it has an attachment, that attachment should NOT be opened and the email should go to the IT support team. If it is an individual, just delete the email. If the email has a link, just delete the email. Spear Phishing is a Social Engineering technique where the offender knows something about their adversary and concocts a story, event or situation that is in line with the adversary or the adversary's line of business. They use text and information that falls in line with the victim or the victim's business model and then target them such that the ploy breaks down their defenses and makes the ploy more receptive and/or believable.

If the City of Allentown was infected it is because the personnel have NOT been properly trained.  They need what is called Situational Awareness Training.  Situational Awareness is the BEST defense and that starts with education and the identification of current events and trends.  That training is provided to employees of government, municipalities and businesses on a regular periodic basis.  That training will provide information on current malicious activity, how to identify them and how to act in the event of one being confronted by such a threat.  Such training greatly diminishes the threat because personnel can identify the threat and have been trained on how to act when the threat is realized.  The organization must train their personnel and must have protocols in-place for both detection and handling of such threats.

References:

https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/

https://en.wikipedia.org/wiki/Emotet

https://en.wikipedia.org/wiki/Situation_awareness


EDIT:

Here is a perfect example of one such email.

Hello ,


Inserted is the paid invoice for e/z 02/23/2018 and the credit card receipt for the prepayfor s/a 02/23/2018. Thanks!

> http://onny.com.au/Outstanding-Invoices/



Many Thanks

Simmee 

RE:  Payload from DOC file

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar


Emotet is usually a multi-staged attack: it usually arrives from malicious docms or such and then drops its #banker payload.

Keep in mind that the docms that may actually belong to an Emotet campaign may even drop other commodity malware like #trickbot or #lokibot and even #rats.

Edited by trueindian
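Putting the advice from both posts above into a check a mail administrator could run (an added example, written for this thread and not code from either poster): it flags an unknown sender, any link in the body, any attachment, and macro-enabled Office documents such as the docm files mentioned above, and runs over a constructed lure modelled on the quoted invoice email. The sender address, domains and the fake .docm attachment are placeholders, not values from a real capture.

```python
import io
import re
import zipfile
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+")
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".pptm")

def has_vba_project(data: bytes) -> bool:
    """OOXML files are zip archives; a macro-enabled one carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML (e.g. a legacy .doc); the extension check still applies

def triage(msg: EmailMessage, known_senders: set) -> list:
    """Apply the thread's red flags: unknown sender, any attachment, any link, macros."""
    flags = []
    sender = msg["From"] or ""
    m = re.search(r"<([^>]+)>", sender)
    addr = (m.group(1) if m else sender).strip().lower()
    if addr not in known_senders:
        flags.append("unknown sender: " + addr)
    body = msg.get_body(preferencelist=("plain",))
    for url in URL_RE.findall(body.get_content() if body else ""):
        flags.append("link in body: " + url)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        flags.append("attachment: " + name)
        if name.endswith(MACRO_EXTS) or has_vba_project(part.get_payload(decode=True) or b""):
            flags.append("macro-enabled Office document: " + name)
    return flags

def build_sample() -> EmailMessage:
    """Constructed lure modelled on the one quoted in the thread; domains are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Simmee <billing@sender.example.invalid>"
    msg["To"] = "clerk@city.example.invalid"
    msg["Subject"] = "Paid invoice 02/23/2018"
    msg.set_content("Hello ,\n\nInserted is the paid invoice for e/z 02/23/2018. Thanks!\n\n"
                    "> http://invoices.example.invalid/Outstanding-Invoices/\n\nMany Thanks\nSimmee\n")
    buf = io.BytesIO()  # fake .docm: an OOXML-style zip containing an (empty) vbaProject.bin
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice.docm")
    return msg
```

Calling `triage(build_sample(), {"payroll@city.example.invalid"})` returns four flags for the sample; a message from a known sender with no link and no attachment returns none.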
